Can A Cybercrime Convention For All Be Achieved?

A new UN cybercrime treaty process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it. 

At the end of February, negotiations for a UN treaty to counter cybercrime began. This is significant for many reasons.

Firstly, while there are several instruments that address cybercrime, this is not only the first time states are negotiating a binding UN instrument on cybercrime, but also the first time states are negotiating a binding instrument on any cyber issue.

Secondly, the convention has the potential of reducing impunity of cybercriminals by harmonizing national approaches to criminalization. Relatedly, the convention could play a crucial role in improving international cooperation by providing effective investigatory frameworks and facilitating cross-border data exchange.

Moreover, the convention could help build the capacity of countries with less experience in tackling cybercrime and provide the basis for technical assistance.

Challenges Lie Ahead

Despite such potential, the process of negotiation will not be straightforward. This became glaringly evident during the first of six rounds of negotiations, held between the 28th of February and the 11th of March, when several areas of divergence but also convergence emerged.

Over the course of the first ten days of negotiations, many delegations from developing countries expressed their urgent need for a practical legal tool that could help them tackle cybercrime. This issue causes significant harm to their societies and economies, which has only been exacerbated by the COVID-19 pandemic.

Many developing countries – including those represented by CARICOM – are optimistic about the role this convention could play in fighting cybercrime, bridging the digital divide, and harnessing the potential of ICTs. 

But to get there, there are key points that states need to agree on. One of these is what cybercrime is and what should be included in the scope of the treaty.

Narrow Scope of Cybercrimes

Countries have varied objectives for what they want this treaty to achieve. Western countries, for example, want to see a convention which includes a narrow scope of crimes. ‘Pure cybercrimes’ are known as cyber-dependent crimes, which are crimes that cannot happen without the use of ICTs.

These are often ones where a computer or data is the target of the criminal activity, such as malware, denial of service attacks, ransomware, etc. and include crimes that do not predate the existence of ICTs. Cyber-dependent offences have definitions broadly recognized by all countries.

They also advocate for including certain cyber-enabled crimes. These are traditional crimes where ICTs were used as an instrument, rather than as a target of the offence. The concept of cyber-enabled crimes applies to a very broad range of offences given how ICTs have infiltrated almost every aspect of our lives. So the offences that they have argued should be included are the ones where the use of ICTs significantly increases the scope, speed and scale of the crime, but also the anonymity of the perpetrator.

For these offences, two main examples are often given: online child sexual exploitation, and computer fraud. They call for strong human rights safeguards to be embedded throughout the treaty.

Expanded Scope Of Cybercrimes

Other countries, such as India, have stated that a limited convention may create more problems than solutions as technology evolves. They call for an expanded scope in the convention which, in addition to the pure cybercrimes, would include a longer list of cyber-enabled crimes.

The lists of offences vary between countries but include offences such as the use of ICTs for terrorist reasons, the distribution of narcotic drugs, and arms trafficking, in addition to content-related offences such as disinformation, coercion to suicide, hate speech, extremism and others.

This expanded scope entails risks. First, several of those suggested traditional crimes are addressed in other instruments. Including them in this convention risks not only duplication of efforts but contradiction with other treaties, as well as with national approaches to these issues.

Second, some of the suggested content offences, such as extremist content, are treated differently in national jurisdictions. While some content is considered a criminal offence in one jurisdiction, it might be subject to civil liability in other jurisdictions or entail no liability at all.

In its submission to the process, the UN Human Rights Office stated that a future convention should focus on core cybercrimes and should avoid including content offences. It highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression by criminalizing various online content related to extremism, terrorism, public morals or hate speech. The OHCHR stressed that a future international instrument on cybercrime should not be interpreted as justification for such steps.

The Risk Of No Consensus

But it is very important to note that this debate on trying to define what should and should not be considered cybercrime is at least a decade old. This debate has happened in several contexts including at the UN, where an agreement on a single definition of cybercrime was not possible.

There is nothing to suggest that this might change in the context of this process. Ultimately, this means there is a risk of not achieving consensus, and not having a convention at the end of this rather short process. If this were to happen, the countries that will probably be most affected are the developing countries.

Most developed countries have systems, resources, expertise and capabilities in place which enable them to tackle cybercrime. Western countries, for example, have a long history of working on cybercrime issues nationally but also regionally and internationally. They are state parties to the Budapest Convention and have good cooperation mechanisms within regional bodies such as Europol.

However, the same cannot be said about developing countries. As some delegations have highlighted during the negotiations, often international cooperation on cybercrime does not fail due to lack of will but rather lack of capacity. And whilst some of these countries have also ratified the Budapest Convention, their resources and capabilities tend to be unsurprisingly significantly less than those of developed countries.

Whether or not a UN convention on cybercrime is needed is also an old debate. However, the process currently underway presents an opportunity for many delegations from the developing countries to have a tool that would facilitate international cooperation on cybercrime and help them tackle the challenge. But can this be achieved in this process?

A Legal Basis For Gathering Data

Despite the differences between countries on how to define cybercrime for the purpose of the treaty and what to include in the scope, most countries acknowledge that the convention should include criminal activities that are broadly recognized by the international community.

Some delegations have suggested that the convention could act as a legal basis for the gathering of electronic evidence without linking cooperation to the investigation of certain offences that the convention sets out.

As put in the Chinese submission to the UN process, ‘regarding other crimes committed by using ICTs, member states could prevent and combat relevant crimes, which are not listed in this convention, and carry out international cooperation in accordance with this convention, other international conventions and their respective domestic laws.’

This approach has been successfully used in the context of the United Nations Convention against Transnational Organized Crime (UNTOC), where the convention criminalized a specific set of core types of organized crime activity but included broad international cooperation provisions that can be applied to other types of serious crime.

Several states have argued for a similar approach to be followed in this process which would mean that defining the different types of criminal behaviour becomes less important as states will have a legal basis for gathering and exchanging data, irrespective of the criminal offences covered in the convention.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that they have been grappling with for several years, a problem that is impeding them from harnessing the potential of ICTs in their own countries.

Countries realize that this convention can give them the tools they need to leapfrog into a place where they have a better grip of the situation. How likely it is that this will happen is difficult to say, but what is clear is that this process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it.

Joyce Hakmeh is Senior Research Fellow, International Security Programme at Chatham House and Co-Editor of the Journal of Cyber Policy.
